Author Topic: My WoW-account's been compromised  (Read 113958 times)
Xuri
Terracotta Army
Posts: 1199

몇살이세욬ㅋ 몇살이 몇살 몇살이세욬ㅋ!!!!!1!


on: December 28, 2009, 09:26:52 AM

Yay, I'm now in the exclusive group of people who've had their World of Warcraft account hacked.

Woke up to messages from friends about my main character botting for hours in Storm Peaks. Changed my password, logged in, found higher-level alts cleared of all items that could be sold, plus cash. Main character had bags cleared out, some stuff in bank missing, half resto gear gone, cash gone. Guild bank lost all of the 115 (gasp) gold it contained.

Very strange, this. I've never shared my account details with anyone. I've got up-to-date Windows XP, anti-virus and anti-malware programs, neither of which find anything after extensive searches. No suspicious programs running in hidden startup registry keys, no mysterious processes running. No Internet Explorer being used for anything. I've logged on once, maybe twice in the last three weeks - and the last time was more than half a week ago just to check on some friends. No e-mails from Blizzard about account/mail/password changes until the one I got after changing the account-password. Don't have the password written down anywhere, got no e-mails lying around with the account details, no post-it notes attached to my computer screen.

Good thing I've half stopped playing already, or this would've sucked a lot more than it currently does.

-= Ho Eyo He Hum =-
Signe
Terracotta Army
Posts: 18942

Muse.


Reply #1 on: December 28, 2009, 09:57:41 AM

Won't they give you your stuff back?   huh

My Sig Image: hath rid itself of this mortal coil.
Xuri
Terracotta Army
Posts: 1199

몇살이세욬ㅋ 몇살이 몇살 몇살이세욬ㅋ!!!!!1!


Reply #2 on: December 28, 2009, 10:03:54 AM

I've opened a GM ticket, but no reply yet, and no idea how long I have to wait until I actually get a reply.

"Wait time currently unavailable"

-= Ho Eyo He Hum =-
Jayce
Terracotta Army
Posts: 2647

Diluted Fool


Reply #3 on: December 28, 2009, 10:15:57 AM

Without exception I've seen that they return everything stolen in a hacking situation.  I'm increasingly curious to know how these are done. Most people who get hacked, it seems, can't figure out how it happened and their security habits seem pretty good.

Do you have an authenticator? You have to be on battle.net by now, so that's a given.  No possibility you were phished?  Could it be brute force?  Was your password simple or complex? Do you have your b.net email address anywhere on the intarwebs remotely associated to WoW?  Have you logged on to your account/account management at someone else's machine which might not have the meticulous security that yours does?

Witty banter not included.
Xuri
Terracotta Army
Posts: 1199

몇살이세욬ㅋ 몇살이 몇살 몇살이세욬ㅋ!!!!!1!


Reply #4 on: December 28, 2009, 10:28:24 AM

Yeah I'm pretty stumped as to how this happened.

I don't have an authenticator. I'm on battle.net, yes. No chance whatsoever that I got phished, though brute force is a possibility - the password wasn't all that long (8 chars, 1 number, the rest letters). The b.net email address is the same I use for pretty much everything else. I've been a slacker where that is concerned, I guess. Have not logged on to my account on any other computers in, say.. half a year.

-= Ho Eyo He Hum =-
Ingmar
Terracotta Army
Posts: 19280

Auto Assault Affectionado


Reply #5 on: December 28, 2009, 10:54:21 AM

Do you use the same password for other sites, etc? Always possible you signed up for something somewhere that doesn't take good care of your info.

The Transcendent One: AH... THE ROGUE CONSTRUCT.
Nordom: Sense of closure: imminent.
Sheepherder
Terracotta Army
Posts: 5192


Reply #6 on: December 28, 2009, 11:05:10 AM

Quote
Have not logged on to my account on any other computers in, say.. half a year.

Hackers will sit on a password if the account is active.
Morat20
Terracotta Army
Posts: 18529


Reply #7 on: December 28, 2009, 11:20:31 AM

Quote
Do you use the same password for other sites, etc? Always possible you signed up for something somewhere that doesn't take good care of your info.

We're pretty sure my wife got hers hacked because she used the same name/password combo on a guild website. All they had to do was hack someone's poorly installed forum software. DEFUNCT guild forums, in fact.

If you reported it within a few weeks of it getting hacked, they should be able to get you most of your stuff back, taking perhaps a week all told.

My wife had hers fixed in about 72 hours, although since it had been hacked a year prior and botted for three months before it got banned for gold-selling, she only got her account restored. They didn't have data on her items, and whatnot.
Cadaverine
Terracotta Army
Posts: 1655


Reply #8 on: December 28, 2009, 11:45:30 AM

It'll likely take a bit to get your stuff restored, as they're pretty busy these days.  My account was compromised about 2 - 3 weeks ago, and so far I've gotten one of my four characters restored.  I sent a follow up email to see what's going on with the other three, so hopefully I get them back within the next day or two, but I'm not holding my breath.

Every normal man must be tempted at times to spit on his hands, hoist the black flag, and begin to slit throats.
Morfiend
Terracotta Army
Posts: 6009

wants a greif tittle


Reply #9 on: December 28, 2009, 12:05:03 PM

Quote
Without exception I've seen that they return everything stolen in a hacking situation.

Just a little FYI on this, they will return everything except guilds. Which is a major pain in the ass. My friend had his account hacked. He downloaded a mod that had a keylogger in it. The farmers disbanded two guilds that were controlled by his account, and both had all the bank slots purchased. Blizzard returned everything except the guild bank slots. Which is a bitch.
Rasix
Moderator
Posts: 15024

I am the harbinger of your doom!


Reply #10 on: December 28, 2009, 12:10:40 PM

Well, this had convinced me to stick an authenticator on my account.  My account also has a unique password. 

I imagine I'll be hacked waiting for Cataclysm.   awesome, for real

-Rasix
Xuri
Terracotta Army
Posts: 1199

몇살이세욬ㅋ 몇살이 몇살 몇살이세욬ㅋ!!!!!1!


Reply #11 on: December 28, 2009, 12:42:52 PM

Guess I'll be getting one of those authenticators myself if this thread turns out to have a happy ending, and if not - well - it's not like I'm actually playing the game anyway, just waiting, as Rasix says, for Cataclysm. I find that I stop playing a while before every expansion after having depleted all the soloable/light-weight group content, then start back up to do all the new and improved "COLLECT 10 ANIMAL TUSKS PRONTO!"-quests when the expansions hit.

-= Ho Eyo He Hum =-
Jayce
Terracotta Army
Posts: 2647

Diluted Fool


Reply #12 on: December 28, 2009, 01:18:09 PM

Quote
Well, this had convinced me to stick an authenticator on my account.  My account also has a unique password.
I imagine I'll be hacked waiting for Cataclysm.   awesome, for real

I'm right there with you.  We might have to consolidate all these threads...

Incidentally, if you have an authenticator, you can still get phished. There is a story on wow.com about someone that had it happen to them.  So I guess I'm saying... don't get phished... ok?  Ohhhhh, I see.

Witty banter not included.
Merusk
Terracotta Army
Posts: 27449

Badge Whore


Reply #13 on: December 28, 2009, 03:45:46 PM

How on earth do you get phished with the authenticator? Give out the login to someone?

Ed: this thread also inspired me to go and change my password again, and the e-mail my acct is linked to.  Unfortunately B.net seems to be down as you can't login to account management right now.  At first I panicked and thought "Oh shit I've been hacked, too." But I'm able to get into the game and the password recovery system sent the e-mail to my correct address..

 awesome, for real
« Last Edit: December 28, 2009, 03:47:51 PM by Merusk »

The past cannot be changed. The future is yet within your power.
Chorulle
Terracotta Army
Posts: 59


Reply #14 on: December 28, 2009, 03:52:11 PM

Was going to do the same thing and noticed I couldn't log into b.net either.  Just bounces you back to the login page with no indication of an error or anything else, but can get into the game just fine so it's not just you.

"Saying that nobody needs more then web apps is like saying noone needs a fridge because we can all drive to T.G.I. goddamn Friday's for chicken wings"

- Walt Mosspuppet (Mike Arrington is wrong: Chrome OS won't matter)
Trippy
Administrator
Posts: 23612


Reply #15 on: December 28, 2009, 04:22:34 PM

Quote
How on earth do you get phished with the authenticator? Give out the login to someone?

I haven't bothered to read about the specific WoW authenticator hack but in general these things are vulnerable to "man in the middle" attacks. Essentially the user is tricked into entering the time-based authentication token into a program the attacker controls which passes that info to the attacker and then the attacker can enter that value into the real program. This is easy to do if you can trick the user into installing a keylogger trojan, for example.

The authenticator will protect you from people trying to brute force-guess your password but there are lots of malware out there, especially in Asia, that are specifically designed to capture game login information, and token-based two-factor authentication doesn't protect you in those situations.
Fordel
Terracotta Army
Posts: 8306


Reply #16 on: December 28, 2009, 06:30:58 PM

The best defense is simply to never stop playing!

and the gate is like I TOO AM CAPABLE OF SPEECH
Ubvman
Terracotta Army
Posts: 182


Reply #17 on: December 31, 2009, 02:17:26 AM

Quote
...
The authenticator will protect you from people trying to brute force-guess your password but there are lots of malware out there, especially in Asia, that are specifically designed to capture game login information, and token-based two-factor authentication doesn't protect you in those situations.

If someone had the expertise and ability to break the authenticators and hack into the system, they wouldn't be going after dinky WoW accounts. They'd be hacking into banks and stock broker accounts that use the same things.
Merusk
Terracotta Army
Posts: 27449

Badge Whore


Reply #18 on: December 31, 2009, 03:28:24 AM

Hacking Banks: International Police and FBI are right on you in a sophisticated and hardcore way.
Hacking WOW accounts:  Blizzard might ban your ISP proxy and notify the FBI who might look into it in a cursory way.  Meanwhile you're fencing your "not-really-stolen-in-any-country-because-they're-virtual" goods for real cash, don't run into a host of shit and are still making a lot of money.

Thanks for the info, Trippy.

The past cannot be changed. The future is yet within your power.
bhodi
Moderator
Posts: 6817

No lie.


Reply #19 on: January 01, 2010, 10:36:34 AM

FBI doesn't get involved unless it's a large amount of money. This isn't large. They don't generally get involved in bank transactions either, unless it's over $20k I believe. Wire transfers aren't even tracked below that amount. Pretty much because everyone, including US interests, launder money that way.

While technically two factor auth is vulnerable to man in the middle, realistically it's not, especially in this circumstance - they'd have to capture your one-use key and then immediately log in as you.. and then would immediately get booted out when you log in over top of them as your first time "didn't go through" for some reason. They can't save the key and use it later since it's sequential - your next log in invalidates the key they just snooped from you.

Of course that's all irrelevant, since they are looking for low hanging fruit - they send a trojan hidden in a flash ad at wowmoviesdotcom, collect hundreds of passwords, and then when they get a gold order, they just go down the list, log into the ones they can get into, liquidate what they can, and transfer the money over. There is no realistic way of getting into an account that has a token generator except by stealing the token (unlikely) or cracking the generator (unlikely in the extreme).

Also, once they actually log into the account, the clock is ticking for them - the amount of time they can use the account is generally measured in hours. That's why they save up the lists of accounts until they need them (and why hacks happen weeks or even months after the actual incident). The most common methods for getting passwords are from password reuse from fan/video sites, kiosk/internet cafes, auto-installed trojans (generally flash), and exe files downloaded and run as wow addons.


Edit: What twisted literary reason are you supposed to put periods inside parenths in a sentence? Yeah, fuck it (this.) See how dumb that looks?
« Last Edit: January 01, 2010, 10:48:23 AM by bhodi »
Trippy
Administrator
Posts: 23612


Reply #20 on: January 01, 2010, 12:41:51 PM

Quote
While technically two factor auth is vulnerable to man in the middle, realistically it's not, especially in this circumstance - they'd have to capture your one-use key and then immediately log in as you.. and then would immediately get booted out when you log in over top of them as your first time "didn't go through" for some reason. They can't save the key and use it later since it's sequential - your next log in invalidates the key they just snooped from you.

It's not that hard. The same keylogger that's being used to capture the account information and authentication token is used to prevent the user's input from passing through properly to the application. I.e. their input never gets passed to the system.
Jayce
Terracotta Army
Posts: 2647

Diluted Fool


Reply #21 on: January 01, 2010, 01:14:10 PM

The article I was thinking of was this one.  The relevant quote:

Quote
... Do you have a way to get around the Authenticator?
Actually yes. For the very FIRST login, I can get around it. So I have to change the password then or make a quick clean sweep of the account.

Ah, how do you do it?
Just enter the Authenticator code they put into my site.

You get phished, the guy (or more likely, his script so it all happens fast) is watching real time, he logs in before the number expires, changes the password (so you can't log in over him), then does a clean sweep.  But he also says that low hanging fruit is where it's at.  At the time he had hacked 50 accounts, no authenticators yet.

Witty banter not included.
Rasix
Moderator
Posts: 15024

I am the harbinger of your doom!


Reply #22 on: January 06, 2010, 11:20:07 AM

Just got an obvious phishing email.  Ohh, I changed my password did I?  No, I don't think I did, and I'm not going to click your link.

-Rasix
Xuri
Terracotta Army
Posts: 1199

몇살이세욬ㅋ 몇살이 몇살 몇살이세욬ㅋ!!!!!1!


Reply #23 on: January 06, 2010, 12:09:36 PM

Oh. Uhm. Yeah, status update: Blizzard "unhacked" my account yesterday and restored all lost items and gold, on all affected characters. So.. yay. Now I can happily go back to idling until Cataclysm arrives. :P

-= Ho Eyo He Hum =-
Kageh
Terracotta Army
Posts: 359


Reply #24 on: January 11, 2010, 01:30:10 PM

Quote
How on earth do you get phished with the authenticator? Give out the login to someone?
I haven't bothered to read about the specific WoW authenticator hack but in general these things are vulnerable to "man in the middle" attacks. Essentially the user is tricked into entering the time-based authentication token into a program the attacker controls which passes that info to the attacker and then the attacker can enter that value into the real program. This is easy to do if you can trick the user into installing a keylogger trojan, for example.
The authenticator will protect you from people trying to brute force-guess your password but there are lots of malware out there, especially in Asia, that are specifically designed to capture game login information, and token-based two-factor authentication doesn't protect you in those situations.


Been thinking about that scenario actually as about how vulnerable the WoW mechanism is to man-in-the-middle attacks too, but I think it wouldn't really work well with WoW because you can only log in once onto an account. Re-trying your login and successfully logging in right after your first attempt would kick the attacker out, and the intercepted tokens are worthless once used. Blizzard used to allow token re-use within the 30 second window, but they changed that with 3.1 or 3.2.
bhodi
Moderator
Posts: 6817

No lie.


Reply #25 on: January 11, 2010, 02:48:52 PM

Quote
Been thinking about that scenario actually as about how vulnerable the WoW mechanism is to man-in-the-middle attacks too, but I think it wouldn't really work well with WoW because you can only log in once onto an account. Re-trying your login and successfully logging in right after your first attempt would kick the attacker out, and the intercepted tokens are worthless once used. Blizzard used to allow token re-use within the 30 second window, but they changed that with 3.1 or 3.2.

You get phished, the guy (or more likely, his script so it all happens fast) is watching real time, he logs in before the number expires, changes the password (so you can't log in over him), then does a clean sweep.
Kageh
Terracotta Army
Posts: 359


Reply #26 on: January 11, 2010, 03:25:38 PM

Quote
Been thinking about that scenario actually as about how vulnerable the WoW mechanism is to man-in-the-middle attacks too, but I think it wouldn't really work well with WoW because you can only log in once onto an account. Re-trying your login and successfully logging in right after your first attempt would kick the attacker out, and the intercepted tokens are worthless once used. Blizzard used to allow token re-use within the 30 second window, but they changed that with 3.1 or 3.2.
You get phished, the guy (or more likely, his script so it all happens fast) is watching real time, he logs in before the number expires, changes the password (so you can't log in over him), then does a clean sweep.

They would require at least a second token though, because the first one you provide them with expires when used. So they can either use it to change your password (still only possible on the web site, or?) or to log in into the game. After which they would have to phish you for a second somehow. I remember this discussion going back and forth when people found out the token was re-usable in the 30-second window - probably the reason why Blizzard changed that.

Even back before that, assuming he would have anything fully scripted for changing password on the wow account management front end, considering he had 30 seconds at best (which he didn't have even then, best case were 30 seconds minus the time it took the authenticator user to read and type his 6/8 digits in) to navigate through a series of http requests/replies and wait for the server to process the password change request, it seems like a pretty slim opening.

When reading the original post, I was thinking about intercepting the client-server communication when the user logs in. I overlooked the web pages detail, it is probably a lot easier if you can trick him into inputting his credentials in something that looks like the account web page, where he can just be scared off with an "Unavailable" error or something like that.
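
The token-reuse change discussed above, sketched as an added example with a standard RFC 6238 TOTP verifier; it is not part of any post in this thread and is not Blizzard's implementation, which the thread does not describe. The secret, timestamp, 6-digit length and the `Verifier` class are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code: the "30 second window" from the thread
DIGITS = 6   # assumption: the thread only says codes are 6 or 8 digits


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Verifier:
    """Server-side check for one account (hypothetical class, no skew tolerance)."""

    def __init__(self, secret: bytes, single_use: bool = True):
        self.secret = secret
        self.single_use = single_use
        self.last_step = -1   # highest time step for which a code was accepted

    def check(self, code: str, now: int) -> str:
        step = now // STEP
        if not hmac.compare_digest(code, totp(self.secret, now)):
            return "rejected: wrong code"
        # Replay protection: a code is burned once it has been accepted,
        # even though it is still mathematically valid for this time step.
        if self.single_use and step <= self.last_step:
            return "rejected: code already used"
        self.last_step = step
        return "accepted"


def demo() -> dict:
    secret = b"constructed-demo-secret"   # constructed sample value
    t0 = 1_262_304_000                    # constructed: 2010-01-01 00:00:00 UTC
    code = totp(secret, t0)
    results = {}
    for name, single_use in (("reusable", False), ("single_use", True)):
        v = Verifier(secret, single_use)
        results[name] = [
            v.check(code, t0 + 5),                     # first submission
            v.check(code, t0 + 12),                    # same code, same window
            v.check(code, t0 + 31),                    # same code, next window
            v.check(totp(secret, t0 + 31), t0 + 31),   # fresh code, next window
        ]
    return results


if __name__ == "__main__":
    for policy, outcomes in demo().items():
        print(policy, outcomes)
```

With the reusable policy the second submission inside the same window is accepted; with single-use enforcement it is rejected and the account holder has to wait for the next code.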
Trippy
Administrator
Posts: 23612


Reply #27 on: January 11, 2010, 03:27:14 PM

I mentioned this somewhere else but if you are already trapping keyboard events to steal passwords it's trivial to "corrupt" the data being sent to the actual applications. I.e. you would "lock" the user out of their account after capturing the user information and authenticator code by changing the authenticator code that is sent to WoW to some bogus value. Then you have all the time in the world to change their account information without worrying about being kicked out because the user logged in after you.
Sheepherder
Terracotta Army
Posts: 5192


Reply #28 on: January 11, 2010, 06:56:18 PM

Quote
I mentioned this somewhere else but if you are already trapping keyboard events to steal passwords it's trivial to "corrupt" the data being sent to the actual applications.

You mean to say that hiding a keyboard driver inside the kernel allows you to modify both keyboard input and output?  That's crazy talk!
bhodi
Moderator
Posts: 6817

No lie.


Reply #29 on: January 11, 2010, 09:50:49 PM

All this, of course, is way more trouble than it's worth on an individual basis. What we're talking about here is targeted compromise rather than a shotgun approach.
Sheepherder
Terracotta Army
Posts: 5192


Reply #30 on: January 11, 2010, 10:29:07 PM

Except keylogging is the shotgun approach, and fucking with the output of the keyboard would require almost no extra effort.  Go yell at Kageh for bringing up motherfucking Blue Pill in the other thread if you need to vent at a crazy person.
« Last Edit: January 11, 2010, 10:36:03 PM by Sheepherder »
Numtini
Terracotta Army
Posts: 7675


Reply #31 on: January 12, 2010, 05:05:33 AM

Quote
I mentioned this somewhere else but if you are already trapping keyboard events to steal passwords it's trivial to "corrupt" the data being sent to the actual applications. I.e. you would "lock" the user out of their account after capturing the user information and authenticator code by changing the authenticator code that is sent to WoW to some bogus value. Then you have all the time in the world to change their account information without worrying about being kicked out because the user logged in after you.

You'd have to do that in real time. It's not enough to cache the token and keep the user out, you then have to log in within what? 30 seconds? Operators are standing by? I don't think there's a market for that.

Which does bring up a nasty thought. Will this increase bot farming and other things like that to make up for items stolen from accounts?


If you can read this, you're on a board populated by misogynist assholes.
Sheepherder
Terracotta Army
Posts: 5192


Reply #32 on: January 12, 2010, 06:42:00 AM

Quote
You'd have to do that in real time. It's not enough to cache the token and keep the user out, you then have to log in within what? 30 seconds? Operators are standing by? I don't think there's a market for that.

Yes, exactly that.  I used to fuck with this one farmbot in Winterspring for giggles until the person tending the bot herd would get pissed and try and gank me.

(It had the capacity to defend itself in pvp, but when in combat it would move one step at a time to preserve maximum range, so you could whack it with anything hostile and train it back across the zone into the Everlook guards)
Jayce
Terracotta Army
Posts: 2647

Diluted Fool


Reply #33 on: January 13, 2010, 03:28:01 PM

Can you delink the authenticator once you're in account management? Their script could login there (using your authenticator), delink you, change your password, then login to the game.

Also, some of these are professional gold farmers, but I'm getting the idea that some of the (especially phishing) attacks are script kiddies running a nickel and dime business knocking off individual accounts manually to resell to the big gold sellers.  Flash exploiting requires more infrastructure that is probably the mark of a pro.

Witty banter not included.
Trippy
Administrator
Posts: 23612


Reply #34 on: January 13, 2010, 03:35:01 PM

Quote
I mentioned this somewhere else but if you are already trapping keyboard events to steal passwords it's trivial to "corrupt" the data being sent to the actual applications. I.e. you would "lock" the user out of their account after capturing the user information and authenticator code by changing the authenticator code that is sent to WoW to some bogus value. Then you have all the time in the world to change their account information without worrying about being kicked out because the user logged in after you.
You'd have to do that in real time. It's not enough to cache the token and keep the user out, you then have to log in within what? 30 seconds? Operators are standing by? I don't think there's a market for that.

Yes you would have to have an alert system with people monitoring them to be able to steal accounts using this method so it won't be as easy as the way things are now where many/most people don't use the authenticator but my point all this time is that the authenticator does not guarantee your account can not be hacked.